HPE Security Fortify Secure Coding Rulepacks [SCA]
With this release, the Fortify Secure Coding Rulepacks detect 751 unique categories of vulnerabilities across 24 programming languages and span over 860,000 individual APIs. In summary, the release includes rule enhancements and support for the following:
.NET TAP[i] and Entity Framework 6
Coverage of all supported .NET vulnerability categories which pass data through Task-based Asynchronous Pattern (TAP) constructs
Coverage for Entity Framework 6 and extended coverage for the Web.* namespaces in .NET 4.6.2 (extended support covers 12 existing categories and a new category, Insecure Transport: Database)
Coverage for all SDK changes introduced in Swift 2.3, to account for renamed APIs and variables
Detection of the new vulnerability category Predicate Injection
Detection of four new vulnerability categories for authentication bad practices related to NSURLConnection and NSURLSession
Detection of eight vulnerability categories in applications written for the Salesforce platform
Coverage of 15 vulnerability categories for AngularJS 1.x core APIs, with the ability to track malicious data through the Model-View-ViewModel (MVVM) architecture
Following malicious data through the library’s utility functions for detection of both Client-Side Template Injection and Server-Side Template Injection categories
Detection of untrusted data used in CSV, TSV, or spreadsheet files that can lead to Formula Injection vulnerabilities across Java and .NET native APIs as well as several third-party libraries
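As an added illustration of the Formula Injection category above (example code written for this page, not Fortify rule content and not any of the Java/.NET APIs the rules cover), the Python below shows the defect the rules look for and one way to neutralize it when writing spreadsheet-bound CSV: any untrusted text cell that begins with a character a spreadsheet interprets as the start of a formula (`=`, `+`, `-`, `@`, tab, carriage return) gets a leading apostrophe so the application treats it as a literal string, while genuine numeric values pass through unchanged. The sample rows are constructed.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as the
# start of a formula (or a cell-format directive) rather than literal text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value):
    """True if a string value would be evaluated as a formula by a spreadsheet."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Render a cell so a spreadsheet displays it as text.

    Genuine numbers (including negatives) are emitted as-is: a leading '-' is
    only a problem when it arrives as untrusted *text*. Untrusted strings that
    start with a trigger character get a leading apostrophe, which the major
    spreadsheet applications interpret as "this cell is a string".
    """
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if is_formula_cell(text):
        return "'" + text
    return text


def write_report(rows):
    """Serialize rows to CSV text with every cell neutralized and quoted.

    QUOTE_ALL keeps delimiters, quotes and newlines inside a value from
    breaking the record structure; neutralize_cell handles the formula risk,
    which quoting alone does not address.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: the "note" column is user-supplied text, "balance" is numeric.
SAMPLE_ROWS = [
    ["user", "balance", "note"],
    ["alice", -42, "thanks for the help"],
    ["mallory", 7, '=HYPERLINK("http://example.invalid/x","click me")'],
    ["eve", 0, "@SUM(A1:A2)"],
]

if __name__ == "__main__":
    print(write_report(SAMPLE_ROWS))
```

The type check matters in practice: sanitizing every string that starts with `-` also mangles legitimately negative amounts that were formatted before reaching the writer, so keep numeric columns numeric until serialization. Some locales use `;` as the field delimiter, and a cell containing `;` or `|` followed by a formula can still be hazardous in older spreadsheet versions, so treat the apostrophe prefix as a display safeguard rather than a substitute for validating the data at its source.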
DISA STIG 4.2
Correlation of the HPE Security Fortify Taxonomy to the latest version of the Defense Information Systems Agency Application Security and Development STIG, version 4.2, to simplify federal customer compliance.
HPE Security Fortify SecureBase [Fortify WebInspect]
HPE SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:
Insecure Swagger Specifications[vi]
Struts 2 OGNL Expression Injection (S2-045, S2-046[vii]), including a newly added attack vector.
SSLv3/TLS Renegotiation Stream Injection Enhancement including vulnerable server configuration[viii]
XSS Enhancement for new attack vectors[ix]
Introduction of two new policies to support workflows in new DevOps process implementations:
DISA STIG 4.2 Compliance Template.
HPE Security Fortify Application Defender
HPE Security Fortify Application Defender is a runtime application self-protection (RASP) solution that helps organizations manage and mitigate risk from homegrown or third-party applications. It provides centralized visibility into application use and abuse while protecting from software vulnerability exploits and other violations in real time. For this release, the HPE Security Fortify Software Security Research team provides the following feature improvements:
New protection for zero-day Struts2 S2-045 OGNL Injection
New protection rule, Malformed Request: Bad Content-Type, for detecting and blocking Struts2 S2-045 (CVE-2017-5638)
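To make the rule's intent concrete, the following Python is an added example written for this page; it is not Application Defender's rule logic. It applies the same idea to constructed request headers: a Content-Type value is allowed only if it parses as an RFC 7231 media type (`type/subtype` with optional `;name=value` parameters), and anything carrying OGNL expression markers such as `%{` or `${` is blocked outright. The marker list and the sample headers are assumptions for illustration; the suspicious sample is shaped like the CVE-2017-5638 trigger (an OGNL expression where a media type belongs) without being a working payload.

```python
import re

# RFC 7230 "token" characters. '{', '(' and whitespace are not among them, so an
# OGNL expression can never form a syntactically valid media type.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED_STRING = r'"[^"\\]*"'  # simplified: no backslash escapes inside quotes
MEDIA_TYPE_RE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED_STRING}))*\s*$"
)

# Substrings that mark an OGNL expression (assumed marker list for this example).
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "#context", "@ognl")

ALLOW = "allow"
BLOCK_OGNL = "block: OGNL expression in Content-Type"
BLOCK_MALFORMED = "block: malformed Content-Type"


def classify_content_type(value):
    """Decide whether a Content-Type header value should reach the application."""
    if any(marker in value for marker in OGNL_MARKERS):
        return BLOCK_OGNL
    if not MEDIA_TYPE_RE.match(value):
        return BLOCK_MALFORMED
    return ALLOW


def scan_requests(requests):
    """Apply the check to (request_id, headers) pairs and return the decisions."""
    decisions = []
    for request_id, headers in requests:
        ctype = headers.get("Content-Type", "")
        # A request without a Content-Type carries no parsing risk for this rule.
        decisions.append((request_id, classify_content_type(ctype) if ctype else ALLOW))
    return decisions


# Constructed sample requests: two ordinary bodies, one sloppy header (missing
# the ';' before its parameter), and one header shaped like the CVE-2017-5638
# trigger, deliberately inert.
SAMPLE_REQUESTS = [
    ("r1", {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryab12"}),
    ("r2", {"Content-Type": 'text/plain; charset="utf-8"'}),
    ("r3", {"Content-Type": "multipart/form-data boundary=x"}),
    ("r4", {"Content-Type": "%{(#_='multipart/form-data').(#x=1+1)}"}),
]

if __name__ == "__main__":
    for request_id, decision in scan_requests(SAMPLE_REQUESTS):
        print(request_id, decision)
```

The grammar check is the durable part: it rejects the expression syntax regardless of which OGNL helper names an attacker uses, whereas the marker list is only a fast path and a source of clearer alert text. A strict grammar will also reject harmless but sloppy clients (a trailing `;`, an unquoted parameter containing spaces), so run such a rule in detect-only mode against real traffic before switching it to block.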
Jetty application server
RTAP and RTAL rulepack kits support for Jetty application server
Improved accuracy for Cross-Site Scripting and SQL Injection signatures.
HPE Security Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
DISA STIG 4.2 report
New SSC report bundle providing support for DISA STIG 4.2, to accompany the new correlation in this release.